client1(10.9.1.5)
                |
                |
                |
client2------server--------client3
                |
                |
                |
             client4(10.9.1.6)


Here's my setup...  I have multiple clients connecting to a VPN server
using SLAN for the secure connection.  All non-local traffic from the
client is piped through the SLAN interface and sent to the server, which
acts as a gateway.  The problem is getting any of the clients to talk to
any of the others now...  10.9.0.0 addresses are assigned to the VPN
clients... 10.2.0.0 is the local network of the server.

My routing table for the server looks like:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.2.0.0        0.0.0.0         255.255.0.0     U     0      0        0 eth0
10.9.0.0        0.0.0.0         255.255.0.0     U     0      0        0 slan0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         10.2.1.7        0.0.0.0         UG    0      0        0 eth0


and my ipchains are: ($INTIF = slan0 device, $EXTIF = eth0)  This allows
the server to act as a gateway, but none of my clients can talk to each
other.
 $IPTABLES -P INPUT ACCEPT
 $IPTABLES -F INPUT 
 $IPTABLES -P OUTPUT ACCEPT
 $IPTABLES -F OUTPUT 
 $IPTABLES -P FORWARD DROP
 $IPTABLES -F FORWARD 
 $IPTABLES -t nat -F

 echo "   FWD: Allow all connections OUT and only existing and related ones IN"
 $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
 $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
 $IPTABLES -A FORWARD -j LOG

 echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
 $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
--------------------------------------------------------------------------------


If I add... very specifically

 $IPTABLES -A FORWARD -i slan0 -s 10.9.1.5 -o slan0 -d 10.9.1.6 -j ACCEPT
 $IPTABLES -A FORWARD -i slan0 -s 10.9.1.6 -o slan0 -d 10.9.1.5 -j ACCEPT

                or, generally

 $IPTABLES -A FORWARD -i slan0 -o slan0 -j ACCEPT

They can reach each other, but I get hundreds of duplicate packets (ping
-c 2 10.9.1.5 generates over a thousand duplicates).  The network is
completely saturated and totally useless for a modem user, and painfully
slow for anyone with a cable modem.

Can anyone please tell me why this is happening and what I can do to
correct it, or at least filter out the extra packets?

Thanks,
-Tim
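The following is an added walkthrough, not code from the original post: it models the server's routing table and FORWARD chain exactly as posted, then traces what happens to a packet from one VPN client to another. The point it makes visible is that client-to-client traffic routes back out the same slan0 interface it arrived on, so neither of the posted eth0/slan0 rules matches and the DROP policy applies; appending the general `-i slan0 -o slan0` rule is what lets it through. It does not model the duplicate-packet storm (the post does not say what causes it). The Rule/Packet model, the `lookup_route` and `forward_verdict` helpers, and the sample flows (8.8.8.8, 10.2.5.5) are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Server routing table as posted: (destination, genmask, gateway, iface).
ROUTES = [
    ("10.2.0.0",  "255.255.0.0", "0.0.0.0",  "eth0"),
    ("10.9.0.0",  "255.255.0.0", "0.0.0.0",  "slan0"),
    ("127.0.0.0", "255.0.0.0",   "0.0.0.0",  "lo"),
    ("0.0.0.0",   "0.0.0.0",     "10.2.1.7", "eth0"),
]


def lookup_route(dst_ip: str):
    """Longest-prefix match over ROUTES. Returns (iface, gateway) or None."""
    dst = ipaddress.IPv4Address(dst_ip)
    best = None
    for dest, mask, gw, iface in ROUTES:
        net = ipaddress.IPv4Network(f"{dest}/{mask}")
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface, gw)
    return None if best is None else (best[1], best[2])


@dataclass
class Rule:
    """One FORWARD rule; a field left None is a wildcard, as in iptables."""
    target: str
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    src: Optional[str] = None          # address or CIDR, like -s
    dst: Optional[str] = None          # address or CIDR, like -d
    states: frozenset = frozenset()    # empty == no "-m state" match

    def matches(self, pkt: dict) -> bool:
        if self.in_if and pkt["in_if"] != self.in_if:
            return False
        if self.out_if and pkt["out_if"] != self.out_if:
            return False
        if self.src and ipaddress.IPv4Address(pkt["src"]) not in ipaddress.IPv4Network(self.src):
            return False
        if self.dst and ipaddress.IPv4Address(pkt["dst"]) not in ipaddress.IPv4Network(self.dst):
            return False
        if self.states and pkt["state"] not in self.states:
            return False
        return True


# The FORWARD chain as posted ($EXTIF = eth0, $INTIF = slan0), policy DROP.
POSTED_FORWARD = [
    Rule("ACCEPT", in_if="eth0", out_if="slan0",
         states=frozenset({"ESTABLISHED", "RELATED"})),
    Rule("ACCEPT", in_if="slan0", out_if="eth0"),
    Rule("LOG"),
]
# The general client-to-client rule the poster appended with -A (after LOG).
HAIRPIN_RULE = Rule("ACCEPT", in_if="slan0", out_if="slan0")


def forward_verdict(chain, src, dst, in_if, state="NEW", policy="DROP") -> dict:
    """Route the packet, then walk the chain the way netfilter does: the
    first terminating match wins, LOG matches but does not terminate, and
    the chain policy applies if nothing terminated."""
    out_if, _gw = lookup_route(dst)
    pkt = {"src": src, "dst": dst, "in_if": in_if, "out_if": out_if, "state": state}
    logged = False
    for idx, rule in enumerate(chain, start=1):
        if not rule.matches(pkt):
            continue
        if rule.target == "LOG":
            logged = True
            continue
        return {"verdict": rule.target, "by": f"rule {idx}", "out_if": out_if, "logged": logged}
    return {"verdict": policy, "by": "policy", "out_if": out_if, "logged": logged}


if __name__ == "__main__":
    # Constructed sample flows: client-to-client, client-to-Internet,
    # the matching reply, and an unsolicited packet from the LAN side.
    cases = [
        ("10.9.1.5", "10.9.1.6", "slan0", "NEW"),
        ("10.9.1.5", "8.8.8.8", "slan0", "NEW"),
        ("8.8.8.8", "10.9.1.5", "eth0", "ESTABLISHED"),
        ("10.2.5.5", "10.9.1.6", "eth0", "NEW"),
    ]
    for name, chain in (("posted", POSTED_FORWARD),
                        ("posted + hairpin", POSTED_FORWARD + [HAIRPIN_RULE])):
        print(name)
        for src, dst, in_if, state in cases:
            v = forward_verdict(chain, src, dst, in_if, state)
            print(f"  {src:>9} -> {dst:<9} in {in_if:<5} {state:<11} "
                  f"out {v['out_if']:<5} {v['verdict']:<6} ({v['by']}, logged={v['logged']})")
```

One thing the trace makes obvious: because the hairpin rule was appended after `-j LOG`, every client-to-client packet is also logged before it is accepted, so the log fills with accepted traffic rather than only with what the policy actually dropped. Inserting the rule ahead of the LOG rule (`-I` rather than `-A`) keeps the log meaningful for spotting unexpected forwards.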
